Enforcement Actions – Cyber Blog
https://www.dpwcyberblog.com
Focused commentary on the latest in cybersecurity preparedness, regulatory compliance and incident response

2019 Predictions – Top 10 Cybersecurity/Privacy Trends to Prepare for Now
https://www.dpwcyberblog.com/2019/01/2019-predictions-top-10-cybersecurity-privacy-trends-to-prepare-for-now/
Tue, 15 Jan 2019 14:45:22 +0000

2018 was another busy year for lawyers in the privacy/cybersecurity world – GDPR, CCPA, Marriott, New York Department of Financial Service’s cybersecurity rule deadlines, increased SEC enforcement, more data breach lawsuits, more companies doing table top exercises and risk assessments, etc. But 2019 is looking to be even busier. Below are our predictions for the Top 10 things that will keep us busy in 2019, and what companies should be preparing for:

1. Consumer Consent

Figuring out what kind of consent is needed from clients and customers in order to use or sell their personal data for commercial purposes is going to be increasingly important in 2019. In 2018, consumers and politicians voiced serious concern over how personal information is collected, used and shared. In response, European regulators have used their new powers under the GDPR to sanction companies for failing to obtain proper consent for data processing, as in the case of the ICO’s October 2018 enforcement notice to a Canadian data analytics company. Private actions are also being brought under the GDPR alleging that the form of consent being obtained by tech companies is inadequate. In the U.S., the California Consumer Privacy Act (“CCPA”), effective January 1, 2020, grants a limited opt-out right to consumers for the sale of personal information to third parties. Similarly, a number of proposed federal privacy laws would mandate disclosure of the categories of personal information stored and shared by companies, and provide for either opt-in or opt-out consent regimes. We expect that 2019 will see state and federal governments increasing the requirements for, and the scrutiny of, consent to collect and use consumer data.

2. Data Breach Shareholder Class Actions

The number of class action securities cases arising out of data breaches, and the costs to resolve them, rose dramatically in 2018 and will continue to rise in 2019. In 2018, several cyber-related class action securities cases made their way through federal courts, including against Marriott, Equifax, Intel, Chegg and Huazhu. One factor in this heightened activity is that large cyber breaches are increasingly resulting in significant stock declines. Equifax, for example, lost more than 25% of its market capitalization following announcement of its data breach. Another factor is the increase in perceived viability of these cases following Yahoo’s settlement with investors for $80 million over claims that the company failed to disclose prior data breaches. We expect this trend to continue in 2019, with even more cases being filed.

3. Expanding Notions of Harm

In 2019, we expect to see courts and regulators expand what constitutes harm in connection with a data breach beyond concrete economic injury. In 2018, we covered the different approaches being taken by various United States Courts of Appeal on what kind of injury is required for standing under Article III in a class action data breach case. After previously declining to revisit the issue, the Supreme Court seems poised to tackle the topic in 2019. Appellants in Zappos.com, Inc. v. Stephens filed a petition for a writ of certiorari in September 2018 to settle the circuit split. That petition went to conference on December 7, 2018. Whatever the outcome in the Supreme Court, we are also expecting new federal and state laws to provide statutory damages for individuals whose personal data has been accessed without authorization, like those implemented under the CCPA. The increasing public outcry over large-scale data breaches has resulted in regulators, politicians, and consumers calling for more accountability from companies that have experienced major hacks, and in 2019, either the courts or the legislators (or both) will respond by expanding what is recoverable in cyber breach cases beyond concrete economic harm.

4. Cybersecurity Negligence Claims

In 2019, we will see an increase in ordinary negligence actions brought by individuals whose data has been accessed because of businesses’ poor data privacy or security measures. In November, the Pennsylvania Supreme Court ruled that a hospital had a legal duty to use reasonable care to protect personal information it collected from workers in the course of their employment. The court permitted recovery for purely economic damages under a negligence theory. By recognizing a common law duty to protect data, it seems that, at least in Pennsylvania, employers can be sued for purely pecuniary loss arising from failure to protect employee data. The justices explained that protecting personal data is not a new affirmative duty but rather an existing duty applied to a “novel factual scenario.” Accordingly, we expect that in 2019 plaintiffs will increasingly bring negligence causes of action in cyber cases to expand this ruling beyond employees to customers, and beyond Pennsylvania.

5. Targeted Cyberattacks Will Increase

An uneasy international political climate in 2019 likely means more cyber activity by nation states and affiliated actors. And with all the personal data that was leaked in 2018, hackers have a lot to work with in 2019. Threat actors can take information available from other cyber attacks, combine it with publicly available data on company webpages and other public sites, and use that data for attacks like credential stuffing and help desk fraud, also known as “vishing” (voice phishing). In vishing scams, a person calls a company support phone number for HR or IT, with enough personal information about an employee to successfully impersonate them in order to (1) obtain even more information (such as an Employee ID number) to be used later, (2) have a sensitive document or an email password mailed to a non-work email address controlled by the hacker, or (3) change the wire instruction for the employee’s paycheck to the hacker’s account. This kind of information is also being used to craft very credible targeted phishing emails to specific VIP targets (“whaling”). As the sophistication of targeted attacks increases, it will be even more important for organizations to conduct regular employee training on how to detect them.

6. Vendor Risk Management

In 2019, regulators will get serious about vendor cybersecurity risk management. The NYDFS cybersecurity rules require its regulated entities, by March 1, 2019, to have a vendor diligence program that includes (1) procedures to identify and assess vendor risks, (2) policies outlining the “minimum cybersecurity practices” and cooperation obligations required of vendors, (3) due diligence procedures to evaluate the vendor’s cybersecurity practices and (4) procedures to complete periodic tests of the risks and cybersecurity practices of vendors. As the NYDFS acknowledges in its FAQ on third-party cybersecurity due diligence, there is no “one-size-fits-all solution,” and companies need to take a risk-based approach to figuring out what obligations they will impose on their vendors to ensure that all their efforts to secure their data won’t be undone by their vendors’ failure to follow suit. Additionally, under the GDPR, companies may only use vendors that provide sufficient guarantees that they will implement appropriate measures to protect the personal data such vendors are processing on behalf of companies. The GDPR also imposes an obligation on companies to enter into written agreements with their vendors with respect to any processing of personal data on their behalf, which must include specific requirements regarding, among other things, data security obligations, the use of sub-processors, data breach notification obligations and cooperation regarding data subject requests. We have previously discussed some tips for what companies can do to manage their vendor cybersecurity risk. The OCC, FINRA, and the NFA have all emphasized the importance of vendor cybersecurity diligence, and the SEC Office of Compliance Inspections and Examinations has listed vendor management as one of its main focus areas for 2019.

7. Regulation of the Internet of Things (“IoT”)

As 2018 saw an explosion of Internet-connectivity incorporated into everyday objects, in 2019, we expect to see an increase in both exploitation and regulation in this space. IoT devices have long been a prime target for threat actors, including, notably, the Mirai Botnet prosecuted by the Department of Justice in 2017. Despite a history of exploitation, and various attempts by lawmakers in 2017 and 2018, Congress has passed no federal legislation governing IoT devices. The FTC has brought enforcement actions against IoT companies for unfair trade practices and held recent public hearings covering the topic. But FTC Commissioner Slaughter has noted that her agency continues to see organizations failing to (1) consider security during the design of IoT devices, (2) have processes to identify and address potential vulnerabilities and (3) properly update and patch deployed products and services. California did pass legislation in August 2018, SB-327, effective January 1, 2020, that will mandate “reasonable security features” for Internet-connected devices that are “designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure.” Just as states have led the way on data breach notification in the United States, we can expect states to lead on IoT regulation absent federal preemption.

NYDFS Superintendent Maria T. Vullo will be leaving the department on February 1, 2019. Upon announcing her departure, Superintendent Vullo stated that she is “especially proud to have led the DFS in cybersecurity.” In 2019, we expect the DFS’s prominence in cybersecurity supervision to grow. As noted in the Department’s recent memorandum, “DFS examiners have been including cybersecurity in all regular examinations” (emphasis added). The final compliance phase-in date under the DFS’s regulations is March 1, 2019, which as noted above, includes requirements for vendor diligence. With the full set of its cyber rules in effect, and examinations well underway, 2019 will be the year that the DFS becomes a big player in cybersecurity supervision.

10. SEC Cyber Enforcement Goes Beyond Disclosure

Recent developments at the SEC portend greater cyber enforcement in 2019. The SEC named cybersecurity as one of five topics in its 2018 National Exam Program Examination Priorities, placing companies on notice that it will substantively monitor cyber security practices and bring enforcement actions following cybersecurity incidents. In its October 2018 21(a) Report on Cyber-Related Frauds, the SEC emphasized a company’s obligation to account for cyber-related threats when designing internal accounting controls, and indicated that failure to take appropriate steps could result in an enforcement action. The same month, the SEC announced a $1 million settlement with Voya Financial Advisors Inc. for failure to implement reasonably designed cybersecurity policies to detect identity theft risks or respond to cybersecurity attacks. In short, expect the SEC to bring cyber-related enforcement actions in 2019, both for disclosure issues, and for companies that fail to have reasonable policies and procedures.

We will be monitoring these issues here at the Davis Polk Cyber Blog and will post regularly on any significant developments.

The Davis Polk Cyber Portal provides dozens of resources to help our clients comply with their cybersecurity and privacy regulatory obligations.

The authors gratefully acknowledge the assistance of law clerks Sam Pfotenhauer and Brett Workman in preparing this entry.

Avi Gesser Interviewed by The Cybersecurity Law Report on Recent SEC Enforcement
https://www.dpwcyberblog.com/2018/11/avi-gesser-interviewed-by-the-cybersecurity-law-report-on-recent-sec-enforcement/
Fri, 02 Nov 2018 13:42:36 +0000

Avi Gesser was interviewed by The Cybersecurity Law Report in an October 31, 2018 article regarding recent SEC cybersecurity enforcement actions and how firms can meet their regulatory obligations to reduce the risk of business email compromise scams.
SEC Penalizes Cybersecurity Weakness
https://www.dpwcyberblog.com/2018/10/sec-penalizes-cybersecurity-weakness/
Tue, 23 Oct 2018 12:35:31 +0000

A recent SEC Order should be a reminder to registered entities, including small- and medium-sized firms, that the SEC is monitoring the reasonableness of their cybersecurity policies and procedures, and that it may take action in the event of a breach, even in the absence of economic harm.

The SEC’s $1 million settlement with broker-dealer and registered investment adviser Voya Financial Advisors Inc. followed the theft of personally identifiable information of thousands of Voya’s customers. The Order is the first settled SEC action to include a violation of the Identity Theft Red Flags Rule (Rule 201 of Reg S-ID), which Dodd-Frank assigned to the SEC in 2011. The case also extends the SEC’s existing pattern of bringing actions under the Safeguards Rule (Rule 30(a) of Reg S-P) against registered entities—including R.T. Jones Capital Management and Craig Scott Capital—that the SEC views as having failed to take reasonable measures to protect their data against evolving cyber threats.

As part of the settlement, Voya agreed to retain an independent consultant to review and make recommendations regarding Voya’s policies and procedures for compliance with Reg S-ID and Reg S-P.

According to the Order, over six days in April 2016, attackers exploited gaps in Voya’s technical support procedures to obtain usernames and passwords for Voya’s consultant web portal, through which they accessed and stole Voya’s confidential customer data.

The attackers, posing as Voya consultants, called Voya’s technical support line three times and obtained temporary passwords for the consultants’ portal accounts. On two of these three occasions, the support staff also provided the associated account usernames, against company policy.

Voya had known it was a target for “vishing” (voice phishing) attempts, and had maintained a list of numbers associated with prior fraudulent activity. But Voya did not require its support staff to check that list when providing password information. As a result, they failed to detect that the attackers had twice called using a number previously flagged for fraudulent activity.

Hours after the first call, the real account holder notified Voya that he had received an unprompted password reset confirmation email. The issue was escalated to Voya’s Incident Response Team.

But before Voya had a chance to alert the rest of its staff and tell them not to provide temporary passwords by phone, the attackers had called again and obtained a second temporary password using the same method. And then, despite the alert and the instructions given, the attackers obtained yet another password from the support line soon after.

Meanwhile, even after identifying the malicious activity, including the attackers’ IP addresses, Voya’s Incident Response Team did not take steps to block access to affected accounts, to terminate ongoing web sessions, or block traffic from the attackers’ IP addresses.

Using the portal login information, the attackers were able to access at least 5,600 Voya customers’ personally identifiable information, including the full Social Security or government-issued identification numbers for at least 2,000 customers. The Order notes that there were no known unauthorized transfers of funds or securities from customer accounts as a result of the attack.

The SEC found that Voya had willfully violated both the Safeguards Rule and the Identity Theft Red Flags Rule. The Safeguards Rule generally requires broker-dealers and investment advisers registered with the SEC to adopt written policies and procedures that are reasonably designed to safeguard customer records and information. The Red Flags Rule requires certain registered broker-dealers and investment advisers to develop and implement a written identity theft prevention program that is designed to detect, prevent and mitigate identity theft in connection with the opening of certain accounts.

The SEC found that Voya violated the Safeguards Rule because its cybersecurity policies and procedures to protect customer information and to respond to cybersecurity incidents were not reasonably designed to meet those purposes. Among other technical and operational deficiencies, the SEC noted that Voya did not have reasonable practices with respect to resetting contractor representatives’ passwords, terminating contractor web sessions in the portal, applying controls to consultant accounts, identifying high-risk accounts for additional security measures, or blocking IP addresses associated with known malicious activity.

The SEC found that Voya violated the Red Flags Rule because it did not review and update its 2009 Identity Theft Prevention Program in response to changes in the threat environment and did not provide adequate training to its employees. The SEC also found that Voya’s program did not include reasonable policies and procedures to respond to identity theft red flags, such as those that were detected in the course of the April 2016 intrusion.

In the Voya Order, the SEC is once again putting the industry on notice that it is monitoring the reasonableness of firms’ cybersecurity policies and procedures, that it will assess those programs using a highly fact-specific standard, and that it will expect them to respond effectively to the ever-evolving threats faced by the industry. Registered entities, including broker-dealers and investment advisers, should consider revisiting their programs related to the protection of personally identifiable information and other sensitive data (including, where applicable, Identity Theft Prevention Programs) on a regular basis.

The Davis Polk Cyber Portal is now available to assist our clients in their efforts to maintain compliance with their cybersecurity regulatory obligations. If you have questions about the Portal, please contact avi.gesser@davispolk.com.

Davis Polk Memo – Adding Insult to Injury
https://www.dpwcyberblog.com/2018/10/davis-polk-memo-adding-insult-to-injury/
Fri, 19 Oct 2018 13:28:42 +0000

We have issued a memo on a Section 21(a) report of investigation from the Securities and Exchange Commission, which warns that cyber incidents may lead to enforcement action.

NYDFS Brings Its First Cybersecurity Enforcement Action
https://www.dpwcyberblog.com/2018/06/nydfs-brings-its-first-cybersecurity-enforcement-action/
Fri, 29 Jun 2018 13:32:00 +0000

We had previously predicted that the Equifax data breach could lead to increased state-level cybersecurity enforcement. On June 27, the NYDFS announced that Equifax has agreed to take corrective action for its 2017 data breach, as set forth in a consent order reached with the NYDFS and seven other state banking regulators. This enforcement action comes quickly after the NYDFS was given authority to regulate credit reporting agencies for cybersecurity. The order requires Equifax to improve its cybersecurity practices in several areas and includes very specific requirements. More broadly, the order provides a glimpse into what the NYDFS views as sound cybersecurity practices, which may be of interest to NYDFS-regulated entities, as well as companies that purport to be NYDFS cyber-compliant. The order includes the following requirements:

Information Technology: The Equifax board must review and approve a written risk assessment that identifies (1) foreseeable threats and vulnerabilities to the confidentiality of personally identifiable information; (2) the likelihood of threats; (3) the potential damage to the company’s business operations; and (4) the safeguards and mitigating controls that address each threat and vulnerability.

Audit: To improve the oversight of Equifax’s audit function, the Equifax Audit Committee must oversee the establishment of a formal and documented internal audit program that is capable of effectively evaluating IT controls and that complies with the internal audit charter.

Board and Management Oversight: Equifax shall improve the oversight of its Information Security Program. The board or, if appropriately authorized, the Technology Committee of the board shall:

Approve a consolidated written Information Security Program and Information Security Policy and annually thereafter;

Review an annual report from management on the adequacy of the company’s Information Security Program;

Enhance the level of detail within the Technology Committee and board minutes, or respective meeting package, by documenting relevant internal management reports (i.e., approval of a formal, written information security risk assessment);

Review and approve IT and information security policies and ensure they are up-to-date and applicable; and

Ensure that the company’s Security Incident Handling Procedure Guide includes up-to-date incident-related procedures and clarifies the roles and relationships of the groups involved in the incident response.

Vendor Management: Equifax must improve oversight and documentation of critical vendors and ensure that sufficient controls are developed to safeguard information.

Patch Management: Equifax must improve standards and controls for supporting the patch management function. An effective patch management program must be implemented to reduce the number of unpatched systems and instances of extended patching time frames.

Information Technology Operations: Equifax must enhance oversight of IT operations as it relates to disaster recovery and business continuity function.

Cyber Breach Disclosure Now Comes With Limited Privilege Waiver Protection, If You’re Careful
https://www.dpwcyberblog.com/2018/02/considering-disclosing-a-cyber-breach-to-law-enforcement-you-may-have-some-limited-protection-against-privilege-waiver/
Tue, 06 Feb 2018 15:15:13 +0000

One of many difficult decisions that companies face following a cyber breach is whether to disclose it to law enforcement. There are several advantages to involving the FBI in a breach response: they may (1) have seen this kind of hack before; (2) know the malware or persons involved; (3) be able to provide helpful information on the motivation for the attack; (4) tell you what else to look for on your systems; and (5) help you to mitigate any vulnerability. To the extent that any money has been fraudulently obtained, involving law enforcement also increases the likelihood of being able to get it back. And in the case of ransomware attacks, law enforcement may have insights into whether there are ways to unlock the affected devices, whether the underlying data is likely intact, and whether the attacker is likely to do what they promise if you pay.

Nevertheless, companies are often reluctant to involve law enforcement, especially in the early days following a breach, for fear that they will waive attorney-client privilege over their investigation into what happened, and that whatever is shared with the FBI will be subject to discovery in a subsequent civil case or regulatory investigation.

Indeed, cyber investigations present unique challenges for lawyers attempting to preserve the privilege. Such investigations will have business, regulatory, and litigation components—each with distinct and sometimes conflicting goals, requiring input and direction from different stakeholders both in and outside the company. As new individuals or entities are informed of the results of the investigation, the risk of waiver increases. This is not to say that a cyber investigation necessarily leads to waiver, but rather that special attention should be paid to the purposes and circumstances of a prospective investigation—prior to its inception—in order to minimize that risk.

Although that is a positive development, recent cases on what constitutes privilege in cyber breach investigations demonstrate that CISA may not provide much protection if companies do not take proper steps to create and maintain privilege in the first place. In other words, CISA can protect privileged information, but it cannot create a privilege where it has already been waived or did not exist in the first place.

For example, in In re Premera Blue Cross Customer Data Security Breach Litigation, Case No. 3:15-md-2633-SI, 2017 WL 4857596 (D. Or. Oct. 27, 2017), the company used a third-party data security consultant to conduct a review of the company’s data management system, which resulted in the discovery of certain malware. Thereafter, the company retained outside counsel and entered into an amended statement of work with the consultant, stipulating that all future work be supervised by counsel. That revised SOW neglected to change the scope of the work, however. The court was not convinced that the remediation report and related documents prepared by the consultant were created “because of” anticipated litigation or would not have been created in substantially similar form but for the prospect of litigation, and because the burden is on the party asserting the privilege, the court concluded that the report could not be withheld.

By contrast, the court in In re Experian Data Breach Litigation, Case No. 8:15-cv-01592 (C.D. Cal. May 18, 2017), denied a motion to compel production of documents related to an investigation performed by a third-party data security consultant where, in the wake of the breach, Experian’s outside counsel retained the consultant to conduct an expert report analysis to assist counsel in providing legal advice to Experian. Although Experian had previously worked with the third-party data consultant, that fact was irrelevant to the court’s determination because the work previously performed by the consultant was “separate” from the work performed after the breach, which had been done at the direction of counsel.

Another way to address these risks is to have two entirely separate investigations. For example, the company in In re Target Corp. Customer Data Security Breach Litigation, MDL No. 14-2522 (PAM/JJK), 2015 WL 6777384 (D. Minn. Oct. 23, 2015), had two parallel investigations—an internal breach investigation, the results of which were not privileged, and an external breach investigation, overseen by counsel and involving a third-party expert retained through counsel, the results of which were privileged since the latter was developed for the express purpose of facilitating counsel’s legal advice. Upon in camera review, the court recognized the privilege and denied the motion to compel production of documents related to Target’s second investigation.

In light of these kinds of cases, companies wishing to avail themselves of CISA’s non-waiver protections are being careful to keep legal and business functions separate in cyber investigations, and are ensuring that work performed by third parties and other non-attorneys is done in support of a legal investigation and at the direction of counsel.

These companies are also trying to reduce the risk of waiver when dealing with privileged materials by limiting the distribution of work product and by providing law enforcement with oral briefings—to the extent possible.

The listed lawyers gratefully acknowledge the assistance of law clerk Molly O’Malley Clarke in preparing this post.

The Rise of State Consumer Protection Act Cyber Cases
https://www.dpwcyberblog.com/2017/12/rise-of-state-consumer-protection-act-cyber-cases/
Fri, 01 Dec 2017 14:51:17 +0000

Plaintiffs in data breach cases have tried many theories of recovery, including negligence, negligence per se, violations of state data protection statutes, violations of the Fair Credit Reporting Act, breach of fiduciary duty, and violations of the constitutional right to privacy, with mixed results.

Courts have rejected many of these claims, but plaintiffs and regulators are increasingly having success with allegations of unfair business practices. At the federal level, the Federal Trade Commission (“FTC”) has obtained settlements in some of the largest breach settlements using this approach, including a $1.6 million settlement with Ashley Madison. We are now seeing a rise in state-law consumer protection cyber cases which are attractive to plaintiffs because these laws exist in every state and are interpreted liberally by courts.

The Massachusetts Attorney General filed a complaint against Equifax in September alleging violations of the Consumer Protection Act (“CPA”) for Massachusetts, and numerous individuals and entities nationwide are also bringing CPA claims against Equifax in other actions. For instance, Montana residents and consumers have filed a class action claiming that Equifax violated Montana’s CPA and engaged in unfair or deceptive practices when it continued to accept credit card information before it purged its systems of the hackers’ malware. Plaintiffs in an ongoing suit against Yahoo! alleged, among other things, violations of California’s CPA. The class action brought by banks against Target, which settled for $39 million, alleged violations of multiple states’ CPAs. The Home Depot data breach settlement also included claims for violation of eight CPAs.

Earlier this year, an action was brought by a purported class of financial institutions against Eddie Bauer in the wake of a 2016 data breach that is alleged to have compromised credit and debit card information at approximately 350 Eddie Bauer stores. Recently, the court in that case dismissed the plaintiffs’ common law negligence claim (finding no legal duty), but allowed the unfair and deceptive business practices claim to proceed. Washington’s CPA provides that “unfair or deceptive acts or practices in the conduct of any trade or commerce are . . . unlawful,” and similar language is found in most other state CPAs. The court in Eddie Bauer found that the alleged failure to take proper measures to protect credit card information could constitute an unfair act under the statute. Eddie Bauer had argued that the CPA claims should not proceed because the harm was caused by a criminal third party, but the court rejected that argument and applied a but-for proximate causation standard. The survival of these unfair business practices claims means that we are likely to see more state law CPA cyber cases in the future, and we will be sure to provide updates on interesting developments in this area.

One Million Dollar Breach Notification Fine for Indian Bank Shows Increased Efforts by Regulators to Force Information Sharing Following a Breach
https://www.dpwcyberblog.com/2017/10/one-million-dollar-breach-notification-fine-for-indian-bank-shows-increased-efforts-by-regulators-to-force-information-sharing-following-a-breach/
Mon, 30 Oct 2017 16:28:09 +0000

The $1 million fine that was recently levied against Yes Bank shows the increasing risks of failing to provide timely breach notification. On October 23, 2017, the Reserve Bank of India (“RBI”) announced that it was fining India’s Yes Bank $1 million USD for failing to comply with RBI’s breach notification requirement, among other violations. Yes Bank experienced a cyber breach around May 2016, but did not become aware of the incident until September 2016. After learning of the incident, Yes Bank did not report the breach, which RBI viewed as a violation of the bank’s obligation to report within 6 hours of discovery.

This $1 million fine represents a dramatic escalation in breach notification enforcement. To date, there have been relatively few such cases, and most have resulted in resolutions with much smaller penalties. Following the criticism of Yahoo! and Equifax for their untimely breach notifications, the Yes Bank fine may be a sign that regulators are starting to aggressively enforce breach notification laws. Like Yes Bank, many U.S. institutions have very short breach notification deadlines, including those that are subject to the 72-hour notification requirements in the New York Department of Financial Services (“NYDFS”) cyber rules, and the thousands of U.S. companies that will be subject to the European Union’s General Data Protection Regulation come May 2018.

Traditionally, breach notification requirements were designed to alert people that their personal information had been stolen, so that they could take steps to prevent fraud and identity theft. But increasingly, regulators have been using these obligations to gather information on threats and alert other private companies of increased risks, so that they can take appropriate precautions. U.S. companies are certainly encouraged to share information on cyber threats. The U.S. Department of Homeland Security maintains an Automated Indicator Sharing program, which facilitates almost real-time information sharing on cyber threats. Companies can also share information with other private sector entities through various Information Sharing and Analysis Centers, or ISACs. But information sharing has generally not been mandatory, and many companies have declined to do so. Some have found it difficult to share cyber threat information without also sharing sensitive company or client data. Others believe that they have devoted far more resources to cybersecurity than their competitors, and are therefore reluctant to simply hand over what they view as a valuable competitive advantage.

Following the Bangladesh Bank hack, and noting that “banks are hesitant to share cyber-incidents faced by them,” RBI required the banks that it regulates to report all unusual cybersecurity events, including unsuccessful attacks, within 6 hours of discovery, to allow it to issue a timely warning to other banks. Similarly, a recent FAQ posted on the NYDFS website notes that certain significant and unusual cyber attacks should be reported, even if unsuccessful, “to facilitate information sharing about serious events that threaten an institution’s integrity and that may be relevant to the Department’s overall supervision of the financial services industries.” So, it seems that if companies do not see the value of sharing threat information with the industry as a whole following a breach, regulators are becoming inclined to force hub-and-spoke threat sharing through existing breach notification regimes.

We will keep a close eye on this significant development, which will make it even more important that companies are able to ascertain all of their various state and federal notification obligations quickly following a breach. The Davis Polk Cyber Breach Portal, which will launch early next year, has many resources to help with notification rules, including a simple, query-based tool that assists clients in quickly assessing their cyber breach notification obligations in 48 states and under HIPAA and Gramm-Leach-Bliley. The Portal is currently being beta tested by a select group of clients.

The listed lawyers gratefully acknowledge the assistance of law clerk Zachary Shapiro in preparing this post.

Will Equifax Lead to Increased State-Level Cybersecurity Enforcement?
https://www.dpwcyberblog.com/2017/09/will-equifax-lead-to-increased-state-level-cybersecurity-enforcement/
Mon, 25 Sep 2017 18:31:52 +0000

Regulators in almost every U.S. state have the authority to enforce cybersecurity compliance under their state’s laws, but until recently, they have rarely exercised this power, leaving enforcement mostly to federal agencies like the FTC. With the recent Equifax breach, this appears to be changing.

The Massachusetts Attorney General filed a complaint against Equifax on September 17, 2017, asserting that Equifax violated Massachusetts Data Security Regulations by failing to safeguard personal information of credit applicants. The complaint also includes claims for unfair acts and deceptive trade practices for the same alleged lapses in cybersecurity.

In addition, the complaint alleges that Equifax failed to provide the Massachusetts Attorney General and affected consumers with timely notice of the breach under the Massachusetts Security Breach Law. Section 3 of that statute requires that companies provide notice of a cyber breach to the Massachusetts Attorney General (and to the owner or licensor of the data if the company only maintains and does not own the data) “as soon as practicable and without unreasonable delay” once a company knows about the security breach. The Massachusetts Attorney General argues that Equifax’s six-week delay in notifying those affected by the breach was too long.

Other states could bring similar complaints. There are reports that Attorneys General (“AG”) from New York, Illinois, and Pennsylvania have contacted Equifax, and that New York’s AG, Eric Schneiderman, has opened an investigation. Almost every state has a breach notification requirement similar to the Massachusetts statute, and eighteen states, including Texas and New Jersey, also have requirements that companies protect personally identifiable information. In light of recent high-profile breaches, other states are likely to enact similar regulations. Additionally, most states have consumer protection statutes prohibiting unfair acts and deceptive trade practices similar to the ones being used by Massachusetts in the Equifax case. While these state statutes have not been used previously in actions relating to cybersecurity breaches, this also may change, depending on what happens in the Massachusetts case.

On March 2, 2016, the CFPB announced that it had settled an enforcement action with Dwolla, Inc., an online payment platform, for making allegedly deceptive statements regarding its data security practices and the safety of its online payment system. Dwolla agreed to pay a $100,000 civil penalty and to undertake measures to improve its data security.